The Guarantor for the protection of personal data has approved new guidelines on cookies, with the aim of strengthening users’ decision-making power regarding the use of their personal data when browsing online. The measure was adopted taking into account the results of the public consultation launched at the end of last year. Just click on the banner to not be tracked. And the owners of the sites will have 6 months to comply with the principles contained in the Guidelines.
The Guarantor hopes that a universally accepted coding of cookies will soon be reached, which is absent today, which allows to objectively distinguish technical cookies from analytics or profiling cookies. Pending achieving this goal, the Guarantor calls on publishers to make manifest in the information at least the coding criteria of the trackers adopted by each one.
The update of the previous 2014 Guidelines was necessary in the light of the innovations introduced by the European regulation on privacy, but has its reasons also in a number of other factors: the experience gained in recent years (based on numerous complaints, reports and requests for opinions received by the Offices) on the incorrect implementation of the procedures for providing information to users and for acquiring consent to the use of their data; the growing use of particularly invasive tracers; the multiplication of users’ digital identities which favors the crossing of their data and the creation of increasingly detailed profiles.
The mechanism for acquiring consent online must first of all ensure that, by default, at the time of the first access to a website, no cookies or other tools other than technical ones are placed on the user’s device or used. other active tracking technique (for example, third-party cookies) or passive (for example, fingerprinting).
According to the new Guidelines, in compliance with the EU Regulation, the information to users must also indicate any other recipients of personal data and the retention times of the information. And it can also be rendered on multiple channels and in different ways (for example, with pop ups, videos, voice interactions). The obligation to provide information only for technical cookies remains confirmed, also included in the general information. The Guarantor then recommends that analytics cookies, used to evaluate the effectiveness of a service, are used only for statistical purposes.
As for the consent, for profiling cookies it will always be necessary to request it through a clearly distinguishable banner on the web page, through which users must also be offered the possibility to continue browsing without being tracked in any way, for example by closing the banner by clicking on the X feature to be inserted at the top right.
With regard to scrolling in particular, the Guarantor specifies that simply moving the cursor down (scroll down) does not represent a suitable manifestation of consent. The owners of the sites (publishers) will eventually have to insert scrolling in a more complex process in which the user is able to generate an event, which can be recorded and documented on the site server, which can be qualified as a positive action suitable for manifesting in unequivocal manner the will to give consent to the processing.
The Authority also underlines that the resubmission of the banner at each new access for the request for consent to users who previously denied it does not find reason in the legal obligations and is a redundant and invasive measure. The user’s choice, therefore, must be duly recorded and no longer solicited, unless the conditions of the processing significantly change; it is impossible to know if a cookie is already stored in the device; at least 6 months have passed. In any case, users have the right to revoke the consent previously given at any time.